While DragonFlyBSD 5.3/5.4 is exciting on the performance front for those making use of the stable DragonFly operating system releases, DragonFlyBSD 5.2.1 is available this week.

This is the first and perhaps only point release over DragonFly 5.2.0 that premiered back in April. DragonFlyBSD 5.2 brought stabilization work for HAMMER2 to make it ready for more users, Spectre and Meltdown kernel work, and months worth of other important updates.

From time to time I come across news articles about governmental bodies in Europe adopting Open Source Software. This seems to be a slowly increasing trend. But if European governments make software for themselves, or have it made for them, do they publish that software as Open Source?

This was a question that came up in a meeting at one of my clients. To find an answer, I asked my friends at the FSFE NL-team and did a Quick Scan. Here are the results.

Chris Wysopal, CTO of Veracode, said that “the universal use of components in application development means that when a single vulnerability in a single component is disclosed, that vulnerability now has the potential to impact thousands of applications – making many of them breachable with a single exploit.”

Since the disclosure of the Redis unauthorized-access attack that yields root on a Linux system, its ease of use has made mining and scanning campaigns against Linux services that exploit this issue endless. Among the many cases of this issue being used to compromise servers for criminal profit, there is one class of mining campaign that exploits it and can automatically scan from the infected machine with pnscan. The attack has always been there, but it has recently shown a trend of increasing numbers; it has been captured many times, and we have been able to do a specific analysis of it.
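The campaign above only works against Redis instances that are reachable without authentication. The following is an added example, not code from the original post or from the Redis project: a small audit of a redis.conf that checks the directives which close that door (bind, protected-mode, requirepass and rename-command, all real Redis directives). The two sample configurations are constructed for the example; the 16-character password threshold is the author's own choice, not a Redis rule.

```python
"""Added example: audit a redis.conf for the settings that shut out unauthenticated abuse."""


def parse_redis_conf(text):
    """Parse redis.conf text into {directive: [value, ...]}; later lines override earlier ones."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def audit_redis_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_redis_conf(text)
    findings = []

    # No bind line at all means Redis listens on every interface.
    bind_addrs = " ".join(conf.get("bind", [])).split()
    if not bind_addrs or any(a in ("0.0.0.0", "*", "::") for a in bind_addrs):
        findings.append("bind: instance reachable on all interfaces")

    # protected-mode (default yes since Redis 3.2) refuses remote clients while no password is set.
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode: disabled")

    # requirepass is what stops an anonymous client from issuing administrative commands.
    password = conf.get("requirepass", [""])[-1].strip('"')
    if not password:
        findings.append("requirepass: not set")
    elif len(password) < 16:  # threshold chosen for this example
        findings.append("requirepass: shorter than 16 characters")

    # Renaming CONFIG to "" removes the command that the unauthenticated-access abuse relies on.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append("rename-command: CONFIG still reachable")

    return findings


# Constructed sample configurations, not taken from any real deployment.
WEAK_CONF = """
port 6379
bind 0.0.0.0
protected-mode no
dir /var/lib/redis
"""

HARDENED_CONF = """
port 6379
bind 127.0.0.1
protected-mode yes
requirepass "use-a-long-random-secret-here"
rename-command CONFIG ""
dir /var/lib/redis
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or "OK")
```

Run it against the weak configuration and all four checks fire; the hardened one passes. A passing audit still assumes the host firewall does not expose port 6379 to the internet, which this script cannot see.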

The Turla cyberespionage group has implemented some new tactics over the last few months incorporating some open-source exploitation tools instead of relying solely on their own creations to run campaigns.

ESET researchers found that starting in March, Turla has been leveraging the open-source framework Metasploit to drop the group's proprietary Mosquito backdoor. The group has periodically used open-source hacking tools for other tasks, but ESET believes the group has never before used Metasploit as a first-stage backdoor.

Crackers are, so to speak, the evil hackers, although these very often do not have the capabilities that media descriptions credit them with either. Then there are the would-be hackers, also called script kiddies, who use Trojans and pre-made programs to break into computers and cause damage.

The "kiddie" is derived from the English "kid" (child), since young people are often behind such attacks. Due to their young age and lack of experience, script kiddies often do not even know what they are doing. Let me give you an example. I have seen script kiddies try to break into a Linux machine using methods for intruding into Windows NT computers. Script kiddies are often bored teenagers who try to have fun with the first tool they find. These tools are usually built so simply that practically any normal, somewhat educated user can operate them.

[...]

According to Blendrit, co-founder at Tactica, “One thing is clear: this language culture is constantly evolving, and many words find their way into the media, where they have a completely different meaning. Just as our most famous word, “hacker”, has fared.”

The open source Kata Containers project, an effort to combine the security advantages of virtual machines with the deployment and management advantages of software-based containers, hit its 1.0 milestone on Tuesday.

Forged from a merger of Intel’s Clear Containers and Hyper’s runV announced last December, Kata Containers delivers an Open Container Initiative (OCI)-compatible runtime that addresses the downside of traditional container architecture, a shared kernel.

The OpenStack Foundation made Zuul, an open source continuous integration/continuous delivery (CI/CD) platform, into an independent project. Zuul also released version 3 of its software.

Zuul was originally developed for OpenStack CI testing and has since attracted contributors and users across many different organizations, including BMW, GoDaddy, OpenLab, and Wikimedia. It’s the third project to be managed by the OpenStack Foundation, joining OpenStack and Kata Containers.

I have a lot of thoughts about the recently published efail vulnerability, so I thought I'd start to write up some of them. I'd like to skip all the public outrage about the disclosure process for now, as I mainly wanted to get into the technical issues, explain what I think went wrong and how things can become more secure in the future. I read lots of wrong statements that "it's only the mail clients" and the underlying crypto standards are fine, so I'll start by explaining why I believe the OpenPGP and S/MIME standards are broken and why we still see these kinds of bugs in 2018. I plan to do a second writeup that will be titled "efail: HTML mails are to blame".

I assume most will have heard of efail by now, but the quick version is this: By combining a weakness in cryptographic modes along with HTML emails a team of researchers was able to figure out a variety of ways in which mail clients can be tricked into exfiltrating the content of encrypted e-mails. Not all of the attack scenarios involve crypto, but those that do exploit a property of encryption modes that is called malleability. It means that under certain circumstances you can do controlled changes of the content of an encrypted message.

[...]

Properly using authenticated encryption modes can prevent a lot of problems. It's been a known issue in OpenPGP, but until now it wasn't pressing enough to fix it. The good news is that with minor modifications OpenPGP can still be used safely. And having a future OpenPGP standard with proper authenticated encryption is definitely possible. For S/MIME the situation is much more dire and it's probably best to just give up on it. It was never a good idea in the first place to have competing standards for e-mail encryption.

For other crypto protocols there's a lesson to be learned as well: Stop using unauthenticated encryption modes. If anything efail should make that abundantly clear.
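The malleability the post refers to, and what an authenticated mode changes, shown in an added example that is not from the original post or from any OpenPGP or S/MIME implementation. A toy counter-mode stream construction built on SHA-256 stands in for the real cipher and for OpenPGP's CFB mode (an assumption made for a self-contained demo; in CFB a flipped ciphertext block garbles that block and controllably flips the next one, but the principle that known plaintext can be rewritten without the key is the same). The second half wraps the same ciphertext in an encrypt-then-MAC tag, which is what "authenticated encryption" buys. Key, nonce and message are constructed.

```python
"""Added example: why unauthenticated encryption is malleable, and how a MAC stops it."""
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output length


def keystream(key, nonce, length):
    """Counter-mode keystream from SHA-256, a stand-in PRF for a block cipher (assumption)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_unauth(key, nonce, plaintext):
    """Unauthenticated stream encryption: ciphertext = plaintext XOR keystream."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt_unauth = encrypt_unauth  # XOR is its own inverse


def malleate(ciphertext, offset, known, desired):
    """Attacker step, no key needed: if the plaintext at `offset` is `known`,
    XORing (known XOR desired) into the ciphertext makes it decrypt to `desired`."""
    assert len(known) == len(desired)
    delta = xor_bytes(known, desired)
    end = offset + len(delta)
    return ciphertext[:offset] + xor_bytes(ciphertext[offset:end], delta) + ciphertext[end:]


def mac_key(key):
    """Derive a separate MAC key so the MAC and the cipher never share key material."""
    return hashlib.sha256(b"mac|" + key).digest()


def encrypt_auth(key, nonce, plaintext):
    """Encrypt-then-MAC: the tag covers the nonce and the whole ciphertext."""
    ct = encrypt_unauth(key, nonce, plaintext)
    tag = hmac.new(mac_key(key), nonce + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt_auth(key, nonce, blob):
    """Verify the tag in constant time before decrypting; return None on any tamper."""
    if len(blob) < TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key(key), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return decrypt_unauth(key, nonce, ct)


def demo():
    """Constructed key and message. Returns (tampered unauthenticated plaintext,
    tampered authenticated result, intact authenticated result)."""
    key = bytes(range(32))      # fixed so the demo is reproducible; never do this for real keys
    nonce = b"\x00" * 16
    msg = b"Pay to: alice  amount: 100"
    off = msg.index(b"alice")   # the attacker knows where the known field sits

    ct = encrypt_unauth(key, nonce, msg)
    tampered_unauth = decrypt_unauth(key, nonce, malleate(ct, off, b"alice", b"mallo"))

    blob = encrypt_auth(key, nonce, msg)
    tampered_auth = decrypt_auth(key, nonce, malleate(blob, off, b"alice", b"mallo"))
    intact_auth = decrypt_auth(key, nonce, blob)
    return tampered_unauth, tampered_auth, intact_auth


if __name__ == "__main__":
    print(demo())
```

The unauthenticated ciphertext decrypts cleanly to the attacker's text with no sign that anything happened, which is exactly the property efail's crypto gadgets build on; the authenticated variant returns None before a single plaintext byte is produced. Rejecting the whole message on tag failure, rather than showing a partially decrypted result, is the part mail clients most often got wrong.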

A Comcast Xfinity website was leaking Wi-Fi names and passwords, meaning now is a good time to change your Wi-Fi passcode.

The site, intended to help new customers set up new routers, could easily be fooled into revealing the location of and password for any customer’s Wi-Fi network. A customer ID and a house or apartment number were all would-be attackers needed to get full access to your network, along with your full address.

At the recent Red Hat Summit in San Francisco, and more recently the OpenStack Summit in Vancouver, the OpenStack engineering team worked on some interesting demos for the keynote talks.

I’ve been directly involved with the deployment of Red Hat OpenShift Platform on bare metal using the Red Hat OpenStack Platform director deployment/management tool, integrated with openshift-ansible. I’ll give some details of this demo, the upstream TripleO features related to this work, and insight around the potential use-cases.

In 2016, we surveyed our customer base on their use of OpenStack in production, getting a pulse-check on the top considerations, expectations, and benefits of a Red Hat OpenStack Platform deployment. With 2018 marking five years of Red Hat OpenStack Platform, we checked back in with our customers to see if their experiences or expectations of OpenStack have changed. Our survey found:

Juniper Networks and Red Hat have tightened their integration efforts in a move to help ease enterprise adoption of cloud-native platforms and bolster their own offerings against the likes of VMware and Cisco.

The latest platform integration includes the Red Hat OpenStack Platform; Red Hat’s OpenShift Container Platform running as a platform-as-a-service (PaaS) on top of or next to the OpenStack platform depending on deployment architecture; and Juniper’s Contrail Enterprise Multi-Cloud platform running as the networking and security layer to unify those together. This integration is designed as a managed system to help deploy and run applications and services on any virtual machine (VM), container platform, and any cloud environment.

Red Hat today rolled out a hyperconverged infrastructure (HCI) platform based on OpenStack compute and Ceph storage. The new product targets service providers looking to deploy virtual network functions (VNFs) and 5G technologies on top of open source software.

Launched at this week’s OpenStack Summit, the Red Hat Hyperconverged Infrastructure for Cloud combines Red Hat OpenStack Platform 13 and Red Hat Ceph Storage 3 into one product. Red Hat says it is the largest contributor to both open source projects.

This time, I am working on improving the Fedora Community App with the Fedora project. It’s been a week since we started off our coding on May 14.

The Fedora App is a central location for Fedora users and innovators to stay updated on The Fedora Project. News updates, social posts, Ask Fedora, as well as articles from Fedora Magazine are all held under this app.

At OpenStack Summit in Vancouver, Canada, the opening keynote speeches started out the way they usually do. There were demos, there were companies saying how their latest release was the best thing since sliced bread... and then, there was Canonical CEO and Ubuntu Linux founder Mark Shuttleworth. Shuttleworth came out firing at two of his major enterprise OpenStack competitors: Red Hat and VMware.

Shuttleworth opened quietly enough, saying, "Mission is to remove all the friction from deploying OpenStack. We can deliver OpenStack deployments with two people in less than two weeks anywhere in the world." So far, so typical for a keynote speech.

Endless running has always been a favorite for hardcore as well as casual gamers: creating a high score while running endlessly through various traps, hurdles and scenes. You receive various power-ups and boosters on your way, and most probably there is someone trying to catch you.

For those who don't know about this Linux distro, Fedora is one of those Linux distributions that ships with cutting-edge software rather than staying in the same boat as other distributions that prefer stability. Fedora comes in three flavors: Workstation, Server, and Atomic. I'll be reviewing Fedora Workstation, used by many developers and users as their general purpose computing platform.

Browser updates: both Google Chromium (66.0.3359.181) and Palemoon (27.9.2) released new versions last week which I packaged for Slackware 14.2 and -current. The Palemoon update contains CVE-tagged security fixes. You are advised to upgrade.

Debian has three Google Summer of Code students in Kosovo this year. Two of them, Enkelena and Diellza, were able to attend OSCAL. Albania is one of the few countries they can visit easily and OSCAL deserves special commendation for the fact that it brings otherwise isolated citizens of Kosovo into contact with an increasingly large delegation of foreign visitors who come back year after year.

Tesla has released some of the source code for its in-car tech. Engadget reports that the company "has posted the source code for both the material that builds the Autopilot system image as well as the kernels for the Autopilot boards and the NVIDIA Tegra-based infotainment system used in the Model S and Model X."

Following five years of hectoring, Tesla has released a portion of the open-source code it's obligated to provide under the terms of the GNU General Public License (GPL).

Since 2013, the Software Freedom Conservancy (SFC), responding to complaints of GPL violations related to software in the Tesla Model S, has pressed the carmaker to comply with the terms of the GPL.

The SFC provides legal support to open source projects. In theory, Tesla could be sued for flouting the GPL, but even the SFC, which backed the controversial GPL claim against VMware, prefers resolving compliance issues outside of court.

FALCON-Phase is available as open source to scientists and also as a service through Phase Genomics. Scientists can utilize the new software to advance their current research and even revive historic genome projects with the addition of Hi-C data.

Grafana is an open source, feature rich, powerful, elegant and highly-extensible analytics and monitoring software that runs on Linux, Windows and MacOS. It is a de facto software for data analytics, being used at Stack Overflow, eBay, PayPal, Uber and Digital Ocean – just to mention but a few.

It supports 30+ open source as well as commercial databases/data sources including MySQL, PostgreSQL, Graphite, Elasticsearch, OpenTSDB, Prometheus and InfluxDB. It allows you to dig deeply into large volumes of real-time, operational data; visualize, query, set alerts and get insights from your metrics from differen

After more than a year of work, I’m pleased to release another version of heaptrack, the Linux memory profiler! The new version 1.1.0 comes with some new features, significant performance improvements and – most importantly – much improved stability and correctness. If you have tried version v1.0 in the past and encountered problems, update to the new v1.1 and try again!

Oregan said that the open standards-based offering resolves the differences between the current security and performance requirements of modern-day TV services and the hardware capabilities of STBs that were deployed up to a decade ago.

Linux apps on Chrome OS is one of the biggest developments for the OS since Android apps. Previous reports stated Chromebooks with certain kernel versions would be left in the dust, but the Chrome OS developers have older devices on the roadmap, too.

When Google first broke silence on Linux app functionality, it was understood that Linux kernel 4.4 was required to run apps due to dependencies on newer kernel modules. Thanks to an issue found on Chromium’s public bugtracker, we have confirmation that containers won’t be limited to the handful of Chrome OS devices released with kernel 4.4.

There still are several weeks to go until the Linux 4.17 kernel will be officially released and for that to initiate the Linux 4.18 merge window, but we already know some of the features coming to this next kernel cycle as well as an idea for some other work that may potentially land.

I feel a deep responsibility. It’s interesting, because when I started with Red Hat I was in the legal organisation and I didn’t notice there weren’t that many women. But when I moved over to the people team and I looked at the data it was a bit of a revelation – there were hardly any women here and I had no idea. From that point forward, it’s been something I’ve been thinking about – how can we can counter this?

When we were really small there were limited resources to do anything different, but as we started to get bigger and more successful, I started having more latitude to really start diving into it and exploring possible solutions.

“Google, IBM, Microsoft [are] all investing and innovating to drive down the cost of infrastructure. Every single one of those companies engages with Canonical to deliver public services,” he said.

“Not one of them engages with VMware to offer those public services – they can’t afford to. Clearly they have the cash, but they have to compete – and so does your private cloud.”

To capitalise on this trend, the firm is in the throes of rolling out a migration service to help users shift from VMware to a “fully managed” version of Canonical’s Ubuntu OpenStack distribution, which Shuttleworth said costs half as much to run.

“When we take out VMware, and displace VMware, we are regularly told that a fully managed OpenStack solution costs half of the equivalent VMware estate [to run],” he added.

More in Tux Machines

WhiteSource Rolls Out New Open Source Security Detector

WhiteSource on Tuesday launched its next-generation software composition analysis (SCA) technology, dubbed "Effective Usage Analysis," with the promise that it can reduce open source vulnerability alerts by 70 percent.
The newly developed technology provides details beyond which components are present in the application. It provides actionable insights into how components are being used. It also evaluates their impact on the security of the application.
The new solution shows which vulnerabilities are effective. For instance, it can identify which vulnerabilities get calls from the proprietary code.
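WhiteSource has not published how Effective Usage Analysis decides which flagged components are "effective", so the following is an added example, not the vendor's code: the general idea behind "which vulnerabilities get calls from the proprietary code", implemented as a reachability search over a call graph. The call graph, entry point and flagged function names are all constructed for the example and carry no real CVEs.

```python
"""Added example: decide which component vulnerabilities the application code actually reaches."""
from collections import deque


def reachable_vulns(call_graph, entry_points, vulnerable_functions):
    """Breadth-first search from the application's entry points over a call graph
    ({caller: [callee, ...]}). Returns {vulnerable_function: call path} for every
    vulnerable function that some application path reaches; unreachable ones are omitted."""
    parent = {}
    queue = deque()
    for entry in entry_points:
        if entry not in parent:
            parent[entry] = None
            queue.append(entry)
    while queue:
        caller = queue.popleft()
        for callee in call_graph.get(caller, ()):
            if callee not in parent:
                parent[callee] = caller
                queue.append(callee)

    reached = {}
    for vuln in vulnerable_functions:
        if vuln in parent:
            path, node = [], vuln
            while node is not None:     # walk the parent links back to the entry point
                path.append(node)
                node = parent[node]
            reached[vuln] = path[::-1]
    return reached


# Constructed call graph: "app.*" is first-party code, "lib.*" are open source components.
CALL_GRAPH = {
    "app.main": ["app.handle_upload", "app.render_report"],
    "app.handle_upload": ["lib.archive.extract"],
    "app.render_report": ["lib.template.render"],
    "lib.archive.extract": ["lib.archive.join_member_path"],
    "lib.archive.legacy_inflate": ["lib.archive.join_member_path"],
    "lib.xml.parse_dtd": ["lib.xml.expand_entity"],
}

# Functions an SCA scanner flagged as vulnerable (hypothetical labels, not real CVEs).
FLAGGED = [
    "lib.archive.join_member_path",
    "lib.archive.legacy_inflate",
    "lib.xml.expand_entity",
]


def effective_findings():
    """Flagged functions that the application's own entry point can actually reach."""
    return reachable_vulns(CALL_GRAPH, ["app.main"], FLAGGED)


if __name__ == "__main__":
    for fn, path in effective_findings().items():
        print(fn, "reached via", " -> ".join(path))
```

Of the three flagged functions only one is on a path from the application's entry point, which is the kind of reduction the 70 percent figure describes. The caveat a practitioner should keep in mind: a static call graph misses reflection, dynamic dispatch and plugin loading, and some vulnerabilities are not tied to any function the application calls (a component that parses untrusted data on startup, for instance), so an "unreachable" result lowers priority rather than closing the finding.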

Announcing “e Foundation” for eelo

I’m pleased to announce that a non-profit organization has been incorporated to support the project: e Foundation.
“e Foundation” will host core eelo assets and fuel the development of eelo software.
This non-profit organization will be able to receive private and public grants, as well as donations from individuals, from anywhere in the world. We’re also working to add a legal way so that donations could benefit from tax cuts, as it’s often possible when donating to “in the public interest” organizations.
As soon as a bank account is ready for “e Foundation”, we will move all donations and our “in demand” crowdfunding campaign there.

RIP Robin "Roblimo" Miller

Linux Journal has learned fellow journalist and long-time voice of the Linux community Robin "Roblimo" Miller has passed away. Miller was perhaps best known by the community for his role as Editor in Chief of Open Source Technology Group, the company that owned Slashdot, SourceForge.net, freshmeat, Linux.com, NewsForge, and ThinkGeek from 2000 to 2008. He went on to write and do video interviews for FOSS Force, penned articles for several publications, and authored three books, The Online Rules of Successful Companies, Point & Click Linux!, and Point & Click OpenOffice.org, all published by Prentice Hall.

The open source, Linux based “AsteroidOS” alternative to Wear OS arrives in a stable 1.0 release, and Block spins off some of its Android smartwatch stack as an open source OpenWatch Project.
The AsteroidOS project has released version 1.0 of its open source, Linux-based smartwatch distribution. Designed for after-market installation on “Wear OS by Google” (formerly Android Wear) watches, AsteroidOS can now be dual booted on seven different models. The release follows the late March announcement of an OpenWatch Project for building Android based open source custom ROMs on Wear OS watches.

Purism has published their nearly final specifications for their limited-run Librem 5 Dev Kit. The cutoff for ordering a developer kit is next week, as they are placing their hardware order and planning on only this single, limited run of the developer kit before the phones become available next year.
Their deadline for ordering a developer kit is the end of the month, and the kit price has been raised to $399 USD. Purism believes they are still on track to have the phone's actual hardware ready in January 2019.